[cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.

Ian Grigg iang at systemics.com
Sun May 2 16:12:44 EDT 2004


Hi guys,

I found this part very important - the
definition of the capabilities - and
recorded it over on the FC blog (follows,
FTR of cap-talk).

iang



((((((( Financial Cryptography Update: Definition of Capabilities )))))))

                               May 02, 2004


------------------------------------------------------------------------

http://www.financialcryptography.com/mt/archives/000126.html



------------------------------------------------------------------------

There are several models of rights out there - nyms, capabilities,
bearer, account.  One observation that has been made by Jeroen van
Gelderen is that nyms (especially SOX), as a model, are a case of
capabilities.  What that means, beyond the superficial, has always been
up in the air.  The rough presumption was that SOX is a subset, or an
implementation, of capabilities.  Or, that SOX is capabilities
hard-coded, whereas E, by contrast, is capabilities in the language.

The capabilities people (them) and the nym people (us) haven't really
seen eye to eye on the lucidity of each other's documentation, so
distance remained.  Now, Jed Donnelley has broken ranks and cast his
view of a definition of an Internet capability model.

With such a definition in hand, it's now possible to compare SOX, and
any other nymous system, against the capabilities model.  Best case,
we'll show the original observation was right, and we can get on with
the life of us and them.  Worst case, we'll show it as being wrong, and
we'll be forced to write our own definition.

That, I'll defer.  For now, here's Jed's definition (no URL as yet).


-------- Original Message --------
Subject: [cap-talk] Re: "capabilities" as data vs. as descriptors - OS security discussion, restricted access processes, etc.
Date: Thu, 29 Apr 2004
From: Jed Donnelley <jed at nersc.gov>
To: cap-talk at mail.eros-os.org

[big snip]

1. Definition of what you might call an Internet capability model. This
  could be something along the lines of:

http://www.webstart.com/jed/papers/Managing-Domains/#s13

though I think modern encryption technology would suggest a
  rework. The basic idea would be to define a protocol for sending
  blocks of bits that:

a. Can securely represent the right to do anything that a service
  (server) process might choose to make available.

b. Can be communicated securely - hopefully without contacting
  the service process except of course when it is the source or
  destination of the rights communication directly.

c. Is safe from eavesdropping. That is, the form that the capability takes
  when it's in, say, a process's memory space or in an email message,
  cannot be used by any entity other than the owner of the memory
  space (a process) or the email (presumably a person).

d. Extra points for including a rights reduction mechanism that doesn't
  require permission from the server.

[another big snip]

Can we agree on that much?

--Jed http://www.nersc.gov/~jed/
